Elsevier Hacked: Can we get some basic security for journal editorial systems?

17Dec12

Retraction Watch has a post on the Elsevier Editorial System (EES) being hacked at some point in the last month, causing some paper withdrawals because the reviews for them were faked. Sadly, I am not surprised – some of the security measures taken by journals are a touch out-of-date.

This article has been retracted at the request of the Editor-in-Chief.

A referee’s report on which the editorial decision was made was found to be falsified. The referee’s report was submitted under the name of an established scientist who was not aware of the paper or the report, via a fictitious EES account. Because of the submission of a fake, but well-written and positive referee’s report, the Editor was misled into accepting the paper based upon the positive advice of what he assumed was a well-known expert in the field. This represents a clear violation of the fundamentals of the peer-review process, our publishing policies, and publishing ethics standards. The authors of this paper have been offered the option to re-submit their paper for legitimate peer review.

While we live in an age where all websites are vulnerable, I’ve found journal submission/editorial/review sites to have a uniquely lax approach to security. As just one example, I’ve had my password sent to me in unencrypted plain text by more than one journal’s system.

Plain text. That’s…pretty basic security fail. Right up there with your administrator password being “password”.

I assume it hasn’t been a bigger problem because peer reviewed journals are kind of obscure targets. But apparently not obscure enough.